CN116366367A - DDoS attack detection method and device based on PCUSUM algorithm - Google Patents


Info

Publication number
CN116366367A
Authority
CN
China
Prior art keywords
detection
time period
tcp
packets
algorithm
Prior art date
Legal status
Pending
Application number
CN202310512289.4A
Other languages
Chinese (zh)
Inventor
莫家庆
林瑜华
申伟
Current Assignee
Zhaoqing University
Original Assignee
Zhaoqing University
Priority date
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/142 Network analysis or design using statistical or mathematical methods
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a DDoS attack detection method and a device based on PCUSUM algorithm, wherein the method comprises the following steps: determining a plurality of detection time periods; counting the unacknowledged rate information of the TCP message in each detection time period in real time, and correcting based on a correction algorithm to generate a detection sequence value; based on the PCUSUM algorithm model, determining whether the target equipment is attacked by DDoS according to the detection sequence value, and alarming. Therefore, the invention can solve the problems of complex mechanism, need of establishing detailed models of attack behaviors and the like of the existing DDoS attack detection technology of the victim end, has the characteristics of high detection speed and less resource consumption, and effectively improves the detection accuracy and the real-time performance.

Description

DDoS attack detection method and device based on PCUSUM algorithm
Technical Field
The invention relates to the technical field of network security, in particular to a DDoS attack detection method and device based on PCUSUM algorithm.
Background
Distributed denial of service (DDoS) attacks use a large number of puppet hosts in different geographic locations to attack with forged source IP addresses, so that the victim host can hardly defend itself or trace the attack source; the damage is enormous, and DDoS has become one of the main threats on the internet. Among these, DDoS exploiting weaknesses of the TCP/IP protocol has become the attack most commonly used by hackers on the internet and the hardest to prevent. In addition, DDoS attack tools such as Hyenae and tfn2k can easily be obtained from the internet, so that illegal personnel without strong expertise can launch malicious attacks against various network service providers, which are then unable to provide normal service to legitimate users. Since DDoS attacks cause serious harm to the economy and to resources, the prevention, detection and tracing of DDoS attacks are research hotspots in network security.
DDoS attack detection is divided into source-end detection, intermediate-network detection and victim-end detection according to the deployment position. A DDoS attack aims to deplete the resources of the target host and maliciously occupy bandwidth, so the traffic at the attacked side is large and its characteristics are obvious, which makes detection at the victim end more feasible. In general, a DDoS attack causes network or host traffic to vary greatly, which shows up as a statistically abnormal condition. In normal TCP communication, both the sender and the receiver send segments that are acknowledged by the other side; when network traffic is abnormal, segments may go unacknowledged.
Current network attack detection methods fall mainly into two classes: machine learning methods and statistical methods. A machine learning detection method trains a model on network data and combines techniques such as data mining to extract implicit rules and complex patterns from massive data, obtaining a specific detection model for judging whether a DDoS attack exists. However, the training process involves data cleaning, feature selection, feature conversion and the like, so the detection model tends to overfit the training data and its generalization capability is low. A detection method based on statistics derives knowledge and rules by analyzing network data; it has the characteristics of objectivity, accuracy and testability, and has become an important method for detecting DDoS attacks.
With the continuous expansion of the internet and the deepening of the internet economy, it becomes necessary to detect abnormal traffic accurately, discover DDoS attacks as early as possible, and reduce the losses caused by the attacks.
Disclosure of Invention
The invention aims to solve the technical problem of providing the DDoS attack detection method and the device based on the PCUSUM algorithm, which have the characteristics of high detection speed and less resource consumption, and effectively improve the detection accuracy and the real-time performance.
In order to solve the technical problem, the first aspect of the present invention discloses a DDoS attack detection method based on PCUSUM algorithm, the method comprising:
determining a plurality of detection time periods;
counting the unacknowledged rate information of the TCP message in each detection time period in real time, and correcting based on a correction algorithm to generate a detection sequence value;
based on the PCUSUM algorithm model, determining whether the target equipment is attacked by DDoS according to the detection sequence value, and alarming.
As an optional implementation manner, in the first aspect of the present invention, the determining a plurality of detection time periods includes:
selecting a period of time T and dividing it equally into n time periods, denoted respectively t_1, t_2, …, t_n.
In an optional implementation manner, in a first aspect of the present invention, the counting, in real time, the TCP packet unacknowledged rate information in each detection time period, and correcting based on a correction algorithm, to generate a detection sequence value includes:
during time period t_i (1 <= i <= n), capturing all IP packets and, if the data carried by an IP packet is a TCP segment, storing the IP packet in an array;
if i > 1, i.e. this is not the first capture, comparing the IP packets captured in time period t_i with the array Uack_last of TCP segments left unacknowledged in time period t_{i-1}, finding the number of segments unacknowledged in t_{i-1} that are acknowledged in t_i, and recording it in X[i-1];
finding, by means of a double loop, the total number of acknowledged TCP segments in time period t_i and recording it in the variable num, while recording the IP packets corresponding to unacknowledged TCP segments in the array Uack;
assigning the array of TCP segments unacknowledged in time period t_i to Uack_last, the number num of TCP segments acknowledged in t_i to num_last, and the total number of IP packets captured in t_i to total_last, in preparation for correcting the TCP acknowledged-packet rate in the next time period t_{i+1}; where Uack_last, num_last and total_last represent, respectively, the array of unacknowledged TCP segments, the number of acknowledged TCP segments, and the total number of captured IP packets carrying TCP segments in time period t_{i-1};
if i < n, setting i = i + 1 and returning to the step of capturing all IP packets during time period t_i (1 <= i <= n) and storing those carrying TCP segments in an array, so as to compute the detection sequence value X[i] in the next time period t_{i+1}; otherwise, ending.
As an optional implementation manner, in the first aspect of the present invention, the determining, based on the PCUSUM algorithm model and according to the detection sequence value, whether the target device is subject to a DDoS attack, and alarming, includes:
reading the detection sequence value array X[1] to X[i];
accumulating X[i] (where 1 <= s < i <= n) and generating an alarm if the following expression is satisfied:
Figure BDA0004217817050000031
where N is the attack detection threshold and d is the value of the artificial transformation factor; N is an integer in the range [1, 10] and d is a decimal in the range [0, 1];
in the case of continuous detection, the continuous detection problem is decomposed into a series of test procedures; assuming a new test procedure starts from time period t_{m+1}, the cumulative sum P_i is equivalent to
Figure BDA0004217817050000032
the iterative formula for the cumulative sum P_i is as follows:
Figure BDA0004217817050000033
that is, starting from i = 2, the detection sequence is computed and tested according to the above formula;
where max denotes the larger of the two values, and m is determined by the following formula:
m = max{j : j < n, P_j = 0}, P_0 = 0;
the condition for triggering the alarm is still P_i > N;
if i <= n, setting i = i + 1 and continuing with the operation of reading the detection sequence value array X[1] to X[i]; otherwise, ending the detection.
The second aspect of the present invention discloses a DDoS attack detection device based on PCUSUM algorithm, the device comprising:
a determining module for determining a plurality of detection time periods;
the statistics module is used for counting the unacknowledged rate information of the TCP message in each detection time period in real time, and correcting the unacknowledged rate information based on a correction algorithm to generate a detection sequence value;
and the judging module is used for determining whether the target equipment is under DDoS attack or not according to the detection sequence value based on the PCUSUM algorithm model.
As an optional implementation manner, in the second aspect of the present invention, the specific manner in which the determining module determines the plurality of detection time periods includes:
selecting a period of time T and dividing it equally into n time periods, denoted respectively t_1, t_2, …, t_n.
In the second aspect of the present invention, the specific manner in which the statistics module counts, in real time, the unacknowledged rate information of the TCP segments in each detection time period and corrects it based on a correction algorithm to generate a detection sequence value includes:
during time period t_i (1 <= i <= n), capturing all IP packets and, if the data carried by an IP packet is a TCP segment, storing the IP packet in an array;
if i > 1, i.e. this is not the first capture, comparing the IP packets captured in time period t_i with the array Uack_last of TCP segments left unacknowledged in time period t_{i-1}, finding the number of segments unacknowledged in t_{i-1} that are acknowledged in t_i, and recording it in X[i-1];
finding, by means of a double loop, the total number of acknowledged TCP segments in time period t_i and recording it in the variable num, while recording the IP packets corresponding to unacknowledged TCP segments in the array Uack;
assigning the array of TCP segments unacknowledged in time period t_i to Uack_last, the number num of TCP segments acknowledged in t_i to num_last, and the total number of IP packets captured in t_i to total_last, in preparation for correcting the TCP acknowledged-packet rate in the next time period t_{i+1}; where Uack_last, num_last and total_last represent, respectively, the array of unacknowledged TCP segments, the number of acknowledged TCP segments, and the total number of captured IP packets carrying TCP segments in time period t_{i-1};
if i < n, setting i = i + 1 and returning to the step of capturing all IP packets during time period t_i (1 <= i <= n) and storing those carrying TCP segments in an array, so as to compute the detection sequence value X[i] in the next time period t_{i+1}; otherwise, ending.
In the second aspect of the present invention, the specific manner in which the judging module determines, based on the PCUSUM algorithm model and according to the detection sequence value, whether the target device is subject to a DDoS attack and raises an alarm includes:
reading the detection sequence value array X[1] to X[i];
accumulating X[i] (where 1 <= s < i <= n) and generating an alarm if the following expression is satisfied:
Figure BDA0004217817050000051
where N is the attack detection threshold and d is the value of the artificial transformation factor; N is an integer in the range [1, 10] and d is a decimal in the range [0, 1];
in the case of continuous detection, the continuous detection problem is decomposed into a series of test procedures; assuming a new test procedure starts from time period t_{m+1}, the cumulative sum P_i is equivalent to
Figure BDA0004217817050000052
the iterative formula for the cumulative sum P_i is as follows:
Figure BDA0004217817050000053
that is, starting from i = 2, the detection sequence is computed and tested according to the above formula;
where max denotes the larger of the two values, and m is determined by the following formula:
m = max{j : j < n, P_j = 0}, P_0 = 0;
the condition for triggering the alarm is still P_i > N;
if i <= n, setting i = i + 1 and continuing with the operation of reading the detection sequence value array X[1] to X[i]; otherwise, ending the detection.
The third aspect of the present invention discloses another DDoS attack detection device based on PCUSUM algorithm, the device comprising:
a memory storing executable program code;
a processor coupled to the memory;
the processor invokes the executable program code stored in the memory to execute some or all of the steps in the PCUSUM algorithm-based DDoS attack detection method disclosed in the first aspect of the present invention.
A fourth aspect of the present invention discloses a computer storage medium storing computer instructions for executing part or all of the steps of the PCUSUM algorithm-based DDoS attack detection method disclosed in the first aspect of the present invention when the computer instructions are called.
Compared with the prior art, the invention has the following beneficial effects:
the invention can solve the problems of complex mechanism, need of establishing detailed models of attack behaviors and the like of the existing DDoS attack detection technology of the victim end, has the characteristics of high detection speed and less resource consumption, and effectively improves the detection accuracy and instantaneity.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a DDoS attack detection method based on PCUSUM algorithm according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a DDoS attack detection device based on PCUSUM algorithm according to an embodiment of the present invention;
fig. 3 is a flowchart illustrating a sequence generating step of a DDoS attack detecting method based on a PCUSUM algorithm according to an embodiment of the present invention;
fig. 4 is a schematic flow chart of a detection alarm step of a DDoS attack detection method based on PCUSUM algorithm according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of another DDoS attack detection device based on PCUSUM algorithm according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms first, second and the like in the description and in the claims and in the above-described figures are used for distinguishing between different objects and not necessarily for describing a sequential or chronological order. Furthermore, the terms "comprise" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, apparatus, article, or article that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or article.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the invention. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments.
The invention discloses a DDoS attack detection method and device based on a PCUSUM algorithm, which can solve the problems that the existing victim DDoS attack detection technology is complex in mechanism, a detailed model of attack behavior needs to be established and the like, and has the characteristics of high detection speed and less resource consumption, and the detection accuracy and instantaneity are effectively improved. The following will describe in detail.
Example 1
Referring to fig. 1, fig. 1 is a flow chart of a DDoS attack detection method based on PCUSUM algorithm according to an embodiment of the present invention. The method described in fig. 1 may be applied to a corresponding data processing device, a data processing terminal, and a data processing server, where the server may be a local server or a cloud server, and the embodiment of the present invention is not limited.
As shown in fig. 1, the DDoS attack detection method based on the PCUSUM algorithm may include the following operations:
101. determining a plurality of detection time periods;
102. counting the unacknowledged rate information of the TCP message in each detection time period in real time, and correcting based on a correction algorithm to generate a detection sequence value;
103. based on the PCUSUM algorithm model, determining whether the target equipment is attacked by DDoS according to the detection sequence value, and alarming.
Therefore, the method described by the embodiment of the invention can solve the problems of complex mechanism, need of establishing detailed models of attack behaviors and the like of the existing DDoS attack detection technology of the victim end, has the characteristics of high detection speed and low resource consumption, and effectively improves the detection accuracy and instantaneity.
As an alternative embodiment, in the step above, determining a plurality of detection time periods includes:
selecting a period of time T and dividing it equally into n time periods, denoted respectively t_1, t_2, …, t_n.
As an optional embodiment, in the step, counting the unacknowledged rate information of the TCP packet in each detection time period in real time, and correcting based on a correction algorithm to generate a detection sequence value, including:
during time period t_i (1 <= i <= n), capturing all IP packets and, if the data carried by an IP packet is a TCP segment, storing the IP packet in an array;
if i > 1, i.e. this is not the first capture, comparing the IP packets captured in time period t_i with the array Uack_last of TCP segments left unacknowledged in time period t_{i-1}, finding the number of segments unacknowledged in t_{i-1} that are acknowledged in t_i, and recording it in X[i-1];
finding, by means of a double loop, the total number of acknowledged TCP segments in time period t_i and recording it in the variable num, while recording the IP packets corresponding to unacknowledged TCP segments in the array Uack;
assigning the array of TCP segments unacknowledged in time period t_i to Uack_last, the number num of TCP segments acknowledged in t_i to num_last, and the total number of IP packets captured in t_i to total_last, in preparation for correcting the TCP acknowledged-packet rate in the next time period t_{i+1}; where Uack_last, num_last and total_last represent, respectively, the array of unacknowledged TCP segments, the number of acknowledged TCP segments, and the total number of captured IP packets carrying TCP segments in time period t_{i-1};
if i < n, setting i = i + 1 and returning to the step of capturing all IP packets during time period t_i (1 <= i <= n) and storing those carrying TCP segments in an array, so as to compute the detection sequence value X[i] in the next time period t_{i+1}; otherwise, ending.
The above two alternative embodiments illustrate the steps of generating a detection sequence in the attack detection method of the present invention, and the details of the steps can be seen in fig. 3.
Specifically, DDoS attacks mainly exploit drawbacks of the TCP protocol. TCP provides reliable, connection-oriented data streaming to user processes on top of network-layer IP packets. The header of an IP packet carrying a TCP segment includes the source address src, destination address dst, sequence number seq and acknowledgement number ack. The segments transmitted by TCP can be regarded as a continuous data stream, so every byte transmitted is numbered; the sequence number in the header of each segment sent by TCP gives the number of the segment's 1st byte. For example, if the receiving end has correctly received a segment whose 1st byte has sequence number s and whose last byte has sequence number w, the acknowledgement number it returns should be w+1, which indicates that all preceding data has been correctly received and that the 1st byte of the next segment it expects to receive is w+1. TCP connections provide full-duplex communication in which the two parties need not send special acknowledgement segments but instead piggyback acknowledgements on transmitted data, which helps to improve communication efficiency. In normal communication, few segments are left unacknowledged by the two parties, i.e. the number of unacknowledged segments is small compared with the total.
The purpose of a DDoS attack is to consume the victim's resources: the attacker launches the attack, the victim host responds with a large number of segments that never receive a response, and so the number of unacknowledged segments keeps growing. Assume that in a normal communication process the sequence of segments exchanged by the two parties is { p_tcp_1, p_tcp_2, …, p_tcp_n }; for any segment p_tcp_i, all segments p_tcp_j (1 <= j < i) are confirmed received for which the src of the IP packet carrying p_tcp_j equals the dst of the IP packet carrying p_tcp_i and the dst of the IP packet carrying p_tcp_j equals its src. Under normal conditions the number of segments not acknowledged by the two communicating parties is small, so a PCUSUM algorithm can be used to build a detection sequence over the data stream and detect an abnormal attack stream.
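The sequence-generation steps and the simplified acknowledgement rule above, worked through in code. This is an added example, not code from the patent: the `Segment` class, the function names, the addresses and the packets are all constructed here. The patent's correction formula is in an image that is not reproduced on this page, so the example assumes that the detection value of period t_{i-1} is its unacknowledged rate after removing the segments that were acknowledged late in t_i, and that the final period, which has no successor, is emitted uncorrected.

```python
# Added example: the per-period statistics of the patent's sequence-generation
# steps. Everything here (class and function names, addresses, packets) is
# constructed; the correction formula is an assumption, see comments.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    """Header fields of an IP packet carrying a TCP segment (src, dst, seq, ack)."""
    src: str
    dst: str
    seq: int
    ack: int


def acknowledges(later: Segment, earlier: Segment) -> bool:
    """The page's simplified rule: a later segment in the reverse direction
    (its src/dst equal the earlier segment's dst/src) acknowledges the earlier one."""
    return later.src == earlier.dst and later.dst == earlier.src


def count_acknowledged(segments: List[Segment]) -> Tuple[int, List[Segment]]:
    """Double loop over one period t_i: returns (num, Uack), where num is the number
    of segments acknowledged by a later segment of the same period and Uack holds
    the segments that were not."""
    num = 0
    uack: List[Segment] = []
    for j, seg in enumerate(segments):
        if any(acknowledges(later, seg) for later in segments[j + 1:]):
            num += 1
        else:
            uack.append(seg)
    return num, uack


def late_acknowledgements(uack_last: List[Segment], segments: List[Segment]) -> int:
    """Number of segments left unacknowledged in t_{i-1} (Uack_last) that some
    segment captured in t_i acknowledges."""
    return sum(1 for seg in uack_last if any(acknowledges(s, seg) for s in segments))


def detection_sequence(periods: List[List[Segment]]) -> List[float]:
    """Walk t_1..t_n and return X[1..n] as a 0-based list.

    X[i-1] is finalised while processing t_i, once the late acknowledgements are
    known. Assumed correction (formula not reproduced on the page): the
    unacknowledged rate of t_{i-1} minus the share acknowledged late in t_i.
    The last period has no successor and is emitted uncorrected (assumption)."""
    x: List[float] = []
    uack_last: List[Segment] = []
    num_last = total_last = 0
    for i, segments in enumerate(periods, start=1):
        if i > 1:
            late = late_acknowledgements(uack_last, segments)
            x.append((total_last - num_last - late) / total_last if total_last else 0.0)
        num, uack = count_acknowledged(segments)
        # state carried into t_{i+1}: Uack_last, num_last, total_last
        uack_last, num_last, total_last = uack, num, len(segments)
    if periods:
        x.append((total_last - num_last) / total_last if total_last else 0.0)
    return x


# --- constructed sample capture: two normal periods, then a spoofed-source flood ---
SERVER, CLIENT = "10.0.0.1", "10.0.0.5"


def _flood(first_host: int) -> List[Segment]:
    """Ten spoofed SYNs and the server's SYN-ACK replies, which nobody answers."""
    out: List[Segment] = []
    for k in range(first_host, first_host + 10):
        spoofed = f"192.0.2.{k}"
        out.append(Segment(spoofed, SERVER, 1, 0))    # spoofed SYN
        out.append(Segment(SERVER, spoofed, 900, 2))  # SYN-ACK, never acknowledged
    return out


SAMPLE_PERIODS: List[List[Segment]] = [
    # t_1: a normal exchange; the server's last segment is acknowledged only in t_2
    [Segment(CLIENT, SERVER, 100, 0), Segment(SERVER, CLIENT, 500, 101),
     Segment(CLIENT, SERVER, 101, 501), Segment(SERVER, CLIENT, 501, 102)],
    # t_2: normal traffic continues
    [Segment(CLIENT, SERVER, 102, 502), Segment(SERVER, CLIENT, 502, 103)],
    # t_3: the flood starts; the legitimate client still acknowledges t_2's segment
    [Segment(CLIENT, SERVER, 103, 503)] + _flood(10),
    # t_4: the flood continues
    _flood(20),
]

if __name__ == "__main__":
    # normal periods sit at 0, flood periods near 0.5
    print([round(v, 3) for v in detection_sequence(SAMPLE_PERIODS)])
```

With the constructed capture the two normal periods produce a corrected value of 0 (the one segment left open at the end of each period is acknowledged in the next), while the flood periods produce roughly 0.5, because every SYN-ACK the server sends to a spoofed address stays unanswered. That jump is the signal the PCUSUM step accumulates.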
As an optional embodiment, in the step, based on the PCUSUM algorithm model, determining whether the target device is subject to DDoS attack according to the detection sequence value, and alarming, including:
reading the detection sequence value array X[1] to X[i];
accumulating X[i] (where 1 <= s < i <= n) and generating an alarm if the following expression is satisfied:
Figure BDA0004217817050000091
where N is the attack detection threshold and d is the value of the artificial transformation factor; N is an integer in the range [1, 10] and d is a decimal in the range [0, 1]. Specifically, the values of the attack detection threshold N and the artificial transformation factor d are the keys to detection: reasonable values of N and d balance the trade-off between detection delay and false detection rate, so their values are determined according to the actual conditions;
in the case of continuous detection, the continuous detection problem is decomposed into a series of test procedures; assuming a new test procedure starts from time period t_{m+1}, the cumulative sum P_i is equivalent to
Figure BDA0004217817050000092
the iterative formula for the cumulative sum P_i is as follows:
Figure BDA0004217817050000093
that is, starting from i = 2, the detection sequence is computed and tested according to the above formula;
where max denotes the larger of the two values, and m is determined by the following formula:
m = max{j : j < n, P_j = 0}, P_0 = 0;
the condition for triggering the alarm is still P_i > N;
if i <= n, setting i = i + 1 and continuing with the operation of reading the detection sequence value array X[1] to X[i]; otherwise, ending the detection.
The above alternative embodiment shows the steps of detecting an alarm in the attack detection method of the present invention, and details of the steps may be seen in fig. 4.
The above embodiment uses the PCUSUM algorithm to process the sequence X and generate an alarm. The PCUSUM algorithm is an improvement over the CUSUM algorithm in that its detection is more sensitive than CUSUM. Monitoring a sequence with probability density functions requires modelling the parameters of the random sequence, but because the internet is constantly changing its traffic model is very complex. The PCUSUM algorithm does not require a specific rule model: its idea is to accumulate the amount by which X_n exceeds its normal level. It is suited to industrial monitoring of abnormal processes and is used here to process the sequence generated by the detection-sequence generation module, so as to detect DDoS attacks in real time.
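The PCUSUM detection step as an added example, not the patent's own code. The recursion images are not reproduced on this page, so the example assumes the textbook non-parametric CUSUM recursion P_i = max(0, P_{i-1} + X_i - d) with P_0 = 0, which is consistent with the text's description (the maximum of two values, a restart index m at the last zero, an alarm when P_i > N); the function names, the parameter values and the sample sequence are constructed here. It also checks the equivalence the text states, that P_i equals the plain sum of (X_k - d) from the start of the current test procedure t_{m+1}.

```python
# Added example of the PCUSUM detection step. The recursion is the textbook
# non-parametric CUSUM (an assumption: the page's formula images are not
# reproduced); function names, parameters and the sample sequence are constructed.
from typing import List, Optional, Tuple


def pcusum(x: List[float], d: float, n_threshold: float) -> Tuple[List[float], Optional[int]]:
    """Run P_i = max(0, P_{i-1} + X_i - d) with P_0 = 0 over X (0-based list).

    Returns the cumulative sums P_1..P_n and the 1-based index of the first
    period with P_i > N (the alarm condition), or None if no alarm fires."""
    p: List[float] = []
    prev = 0.0  # P_0
    alarm_at: Optional[int] = None
    for i, xi in enumerate(x, start=1):
        cur = max(0.0, prev + xi - d)  # "max" picks the larger of the two values
        p.append(cur)
        if alarm_at is None and cur > n_threshold:
            alarm_at = i
        prev = cur
    return p, alarm_at


def restart_index(p: List[float], i: int) -> int:
    """m = max{j : j < i, P_j = 0} with P_0 = 0: the last reset before period i,
    so the current test procedure started at t_{m+1}."""
    m = 0
    for j in range(1, i):
        if p[j - 1] == 0.0:
            m = j
    return m


def sum_from_restart(x: List[float], p: List[float], d: float, i: int) -> float:
    """The closed form the page gives for a test procedure starting at t_{m+1}:
    P_i equals the plain sum of (X_k - d) for k = m+1 .. i, valid while the
    recursion has not been clamped to zero since the restart (i.e. P_i > 0)."""
    m = restart_index(p, i)
    return sum(x[k - 1] - d for k in range(m + 1, i + 1))


# constructed detection sequence: four normal periods, then a sustained rise
SAMPLE_X = [0.05, 0.0, 0.1, 0.05, 0.52, 0.5, 0.55, 0.5, 0.48]

if __name__ == "__main__":
    sums, alarm = pcusum(SAMPLE_X, d=0.2, n_threshold=1)
    print([round(v, 2) for v in sums], "alarm at period", alarm)
    # a higher threshold N delays or suppresses the alarm; a lower d lets the
    # normal periods accumulate too, which is the false-alarm side of the trade-off
    print(pcusum(SAMPLE_X, d=0.2, n_threshold=2)[1], pcusum(SAMPLE_X, d=0.0, n_threshold=1)[1])
```

With d = 0.2 and N = 1 the four normal values never lift P_i above zero, the rise starting at t_5 accumulates 0.32, 0.62, 0.97 and then 1.27, and the alarm fires at t_8; raising N to 2 suppresses it on this sequence, while d = 0 lets the normal periods accumulate and fires earlier, which is the delay versus false-detection trade-off the text attributes to the choice of N and d.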
From the above embodiments, it can be seen that the advantages of the present invention include at least:
the invention provides a DDoS attack detection method based on a PCUSUM algorithm, which detects according to the obvious characteristic of rapid improvement of the unacknowledged rate of a TCP message segment during DDoS attack and solves the problems that the existing detection technology is complex in mechanism and needs to establish a detailed model of attack behavior.
The correction algorithm is adopted when the unacknowledged rate of the TCP message segment in each time period is established, and the accuracy of the detection sequence value is improved.
When judging whether a TCP segment has been acknowledged, the invention adopts a simplified form: the source address and destination address of the IP packet carrying the TCP segment are compared for equality with, respectively, the destination address and source address of an IP packet captured earlier in the same time period or in the previous time period, which makes the statistics of the TCP segment unacknowledged rate simpler and faster.
Example two
Referring to fig. 2, fig. 2 is a schematic structural diagram of a DDoS attack detection device based on PCUSUM algorithm according to an embodiment of the present invention. The apparatus described in fig. 2 may be applied to a corresponding data processing device, a data processing terminal, and a data processing server, where the server may be a local server or a cloud server, and embodiments of the present invention are not limited. As shown in fig. 2, the apparatus may include:
a determining module 201, configured to determine a plurality of detection time periods;
the statistics module 202 is configured to count the unacknowledged rate information of the TCP packet in each detection time period in real time, and correct the unacknowledged rate information based on a correction algorithm, so as to generate a detection sequence value;
and the judging module 203 is configured to determine whether the target device is under DDoS attack according to the detection sequence value based on the PCUSUM algorithm model.
Therefore, the device described in this embodiment of the invention solves the problems of the existing victim-end DDoS attack detection technology, such as its complex mechanism and the need to establish a detailed model of attack behaviour; it has the characteristics of high detection speed and low resource consumption, and effectively improves detection accuracy and real-time performance.
As an alternative embodiment, the specific manner in which the determining module 201 determines the plurality of detection time periods includes:
selecting a period of time T and dividing it equally into n time periods, denoted t_1, t_2, …, t_n respectively.
As an alternative embodiment, the specific manner in which the statistics module 202 counts the unacknowledged rate information of the TCP segments in each detection time period in real time and corrects it based on a correction algorithm to generate the detection sequence value includes:
during time period t_i (1 ≤ i ≤ n), capture all IP packets; if the data carried by an IP packet is a TCP segment, store the IP packet in an array;
if i > 1, i.e. this is not the first capture, compare the IP packets captured in time period t_i with Uack_last, the array of TCP segments left unacknowledged in time period t_{i-1}, to find the number of segments unacknowledged in t_{i-1} that are acknowledged in t_i, and record it in X[i-1];
by means of a double loop, find the total number of acknowledged TCP segments in time period t_i and record it in the variable num; at the same time, record the IP packets of the unacknowledged TCP segments in the array Uack;
assign the array Uack of TCP segments unacknowledged in time period t_i to Uack_last, the number num of TCP segments acknowledged in t_i to num_last, and the total number total of IP packets captured in t_i to total_last, in preparation for correcting the TCP segment unacknowledged rate in the next time period t_{i+1}; here Uack_last, num_last and total_last respectively denote, for time period t_{i-1}, the array of unacknowledged TCP segments, the number of acknowledged TCP segments, and the total number of captured IP packets carrying TCP segments;
if i < n, set i = i + 1 and return to the step of capturing all IP packets during time period t_i and storing those carrying TCP segments in an array, so as to compute the detection sequence value X[i] for the next time period t_{i+1}; otherwise, end.
The above two alternative embodiments illustrate the steps of generating a detection sequence according to the present invention, the technical details of which can be seen in fig. 3.
Specifically, DDoS attacks mainly exploit the drawbacks of the TCP protocol. The TCP protocol provides a reliable, connection-oriented byte stream to user processes on top of network-layer IP packets. The header of an IP packet carrying a TCP segment includes the source address src, destination address dst, sequence number seq and acknowledgement number ack. The segments transmitted by TCP can be regarded as a continuous data stream, so every byte transmitted is numbered. The sequence number in the header of each segment sent by TCP indicates the number of the 1st byte of that segment. For example, if the receiving end has correctly received a segment whose 1st byte has sequence number s and whose last byte has sequence number w, the acknowledgement number it sends back should be w+1, indicating that all preceding data has been correctly received and that the 1st byte of the next segment it expects to receive is w+1. TCP connections provide full-duplex communication in which the two parties need not send special acknowledgement segments; instead, acknowledgements piggyback on the transmitted data, which improves communication efficiency. In normal communication, few segments remain unacknowledged by the two parties, i.e. the number of unacknowledged segments is small compared with the total.
The purpose of a DDoS attack is to consume the victim's resources. The attacker initiates the DDoS attack, and the victim host responds with a large number of segments that receive no response, so the number of unacknowledged segments keeps increasing. Assume that in a normal communication process the segment sequence exchanged by the sending and receiving parties is {p_tcp_1, p_tcp_2, …, p_tcp_n}; then any segment p_tcp_i acknowledges every earlier segment p_tcp_j (1 ≤ j < i) for which the src of the IP packet carrying p_tcp_j equals the dst, and its dst equals the src, of the IP packet carrying p_tcp_i. Under normal conditions the number of segments not acknowledged by the two communicating parties is small, and a detection sequence built with the PCUSUM algorithm on this data stream can therefore detect an abnormal attack stream.
As an optional embodiment, the specific manner in which the judging module 203 determines, based on the PCUSUM algorithm model and according to the detection sequence value, whether the target device is subject to a DDoS attack and raises an alarm includes:
reading the detection sequence value array X[1] to X[i];
accumulating X[i], where 1 ≤ s < i ≤ n, and generating an alarm if the following expression is satisfied:
Figure BDA0004217817050000121
where N is the attack detection threshold and d is the value of the artificial transformation factor; N is an integer with value range [1,10], and d is a decimal with value range [0,1]. The values of N and d are the key to detection: reasonable values balance the trade-off between detection delay and false detection rate, so the values of the attack detection threshold N and the artificial transformation factor d are determined according to actual conditions;
in the case of continuous detection, the continuous detection problem is broken down into a series of test procedures; assuming a new test procedure begins from time period t_{m+1}, the accumulated sum P_i is equivalent to
Figure BDA0004217817050000131
The iterative formula for the accumulated sum P_i is as follows:
Figure BDA0004217817050000132
i.e., starting from i=2, the detection sequence is calculated and detected according to the above formula;
wherein max represents the maximum value of the two, and m is determined by the following formula:
m = max{j : j < n, P_j = 0}, P_0 = 0;
the condition for triggering the alarm is still P_i > N;
if i ≤ n, set i = i + 1 and continue with the operation of reading the detection sequence value array X[1] to X[i]; otherwise, end the detection.
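As an added worked example (not the patent's own code), the following Python sketch puts the two procedures above together: the per-period TCP unacknowledged-rate sequence with its one-period-late correction using the swapped-address acknowledgement test, and a CUSUM-style accumulation with threshold N, factor d and the restart index m. The traffic, the victim/client addresses, the rate and correction formulas and the recursion P_i = max(0, P_{i-1} + X_i - d) are all assumptions, since the patent's formula images are not reproduced on this page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    """A captured TCP-bearing IP packet; only the addresses matter here."""
    src: str
    dst: str

def is_reply(seg, later):
    # Simplified test from the description: a later segment acknowledges `seg`
    # when its source/destination equal `seg`'s destination/source.
    return later.src == seg.dst and later.dst == seg.src

def split_period(segments):
    """Double loop over one period: count acknowledged segments (num) and keep
    the unacknowledged ones (Uack) for the next period's correction."""
    num, uack = 0, []
    for idx, seg in enumerate(segments):
        if any(is_reply(seg, later) for later in segments[idx + 1:]):
            num += 1
        else:
            uack.append(seg)
    return num, uack

def detection_sequence(periods):
    """Return X[1..n] (Python index 0 is period t_1).  Assumed rate:
    X_i = (total_i - num_i) / total_i.  Assumed correction: when t_i shows that
    `late` of t_{i-1}'s leftovers were acknowledged after all, X_{i-1} is
    recomputed with num_{i-1} + late."""
    X = []
    uack_last, num_last, total_last = [], 0, 0
    for i, segs in enumerate(periods):
        if i > 0 and total_last:
            late = sum(1 for s in uack_last if any(is_reply(s, t) for t in segs))
            X[i - 1] = (total_last - num_last - late) / total_last
        num, uack = split_period(segs)
        total = len(segs)
        X.append((total - num) / total if total else 0.0)
        uack_last, num_last, total_last = uack, num, total  # kept for t_{i+1}
    return X

def pcusum(X, N, d):
    """Accumulate X and report alarming periods.  Assumed non-parametric CUSUM
    recursion (the page's formula image is not reproduced): P_0 = 0,
    P_i = max(0, P_{i-1} + X_i - d); alarm when P_i > N.  Returns P[0..n] and
    the 1-based periods i at which the alarm fires."""
    P, alarms = [0.0], []
    for i, x in enumerate(X, start=1):
        P.append(max(0.0, P[-1] + x - d))
        if P[-1] > N:
            alarms.append(i)
    return P, alarms

def restart_index(P):
    """m = max{j : j < n, P_j = 0}: the current test procedure starts at t_{m+1}."""
    return max(j for j in range(len(P) - 1) if P[j] == 0.0)

VICTIM, CLIENT = "10.0.0.5", "10.0.0.9"  # constructed addresses

def normal_period():
    # Constructed legitimate exchange: 5 segments; only the client's final
    # segment is still unacknowledged when the period closes.
    c2v, v2c = Segment(CLIENT, VICTIM), Segment(VICTIM, CLIENT)
    return [c2v, v2c, c2v, v2c, c2v]

def flood_period(k, spoofed=10):
    # Constructed flood period k: each spoofed source sends one segment that the
    # victim answers twice; those answers are never acknowledged.
    segs = normal_period()
    for j in range(spoofed):
        src = f"198.51.100.{k * spoofed + j}"  # TEST-NET-2 range, constructed
        segs += [Segment(src, VICTIM), Segment(VICTIM, src), Segment(VICTIM, src)]
    return segs

PERIODS = [normal_period()] * 3 + [flood_period(k) for k in range(4)]

if __name__ == "__main__":
    X = detection_sequence(PERIODS)
    P, alarms = pcusum(X, N=1, d=0.1)
    print("X =", [round(x, 3) for x in X], "P =", [round(p, 3) for p in P])
    print("alarm periods:", alarms, "accumulation reset after m =", restart_index(P))
```

The three normal periods correct to an unacknowledged rate of 0 once their last segment is answered in the following period, while the flood periods stay near 0.57 and push the accumulated sum past N = 1 at the third flood period.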
The above alternative embodiment shows the steps of detecting an alarm in the present invention, and its technical details can be seen in fig. 4.
The above embodiment uses the PCUSUM algorithm to process the sequence X to generate an alarm. The PCUSUM algorithm is an improvement over the CUSUM algorithm in that its detection is more sensitive than CUSUM. The CUSUM algorithm needs to model the parameters of a random sequence in order to monitor the sequence using probability density functions, which is difficult here because the internet is constantly changing and its business models are very numerous and complex. The PCUSUM algorithm does not require a specific rule model; its idea is to accumulate the amount by which X_n exceeds its normal level. It is suitable for industrial monitoring of abnormal processes, and is used here to process the sequence generated by the detection sequence generation module so as to detect DDoS attacks in real time.
From the above embodiments, it can be seen that the advantages of the present invention include at least:
The invention provides a DDoS attack detection method based on the PCUSUM algorithm, which detects attacks from the obvious characteristic that the unacknowledged rate of TCP segments rises rapidly during a DDoS attack, and solves the problems that the existing detection technology is complex in mechanism and needs to establish a detailed model of attack behaviour.
The correction algorithm is adopted when the unacknowledged rate of the TCP message segment in each time period is established, and the accuracy of the detection sequence value is improved.
According to the invention, when judging whether a TCP segment is acknowledged, a simplified form is adopted: a TCP segment is judged to acknowledge an earlier segment if the source and destination addresses of the IP packet carrying it are respectively equal to the destination and source addresses of an IP packet earlier in the same time period or in the previous time period, so that the statistics of the TCP segment unacknowledged rate are simpler and faster.
Example three
Referring to fig. 5, fig. 5 is a schematic structural diagram of another DDoS attack detection device based on PCUSUM algorithm according to an embodiment of the present invention. As shown in fig. 5, the apparatus may include:
a memory 301 storing executable program code;
a processor 302 coupled with the memory 301;
the processor 302 invokes executable program code stored in the memory 301 to perform some or all of the steps in the PCUSUM algorithm-based DDoS attack detection method disclosed in the embodiment of the present invention.
Example four
The embodiment of the invention discloses a computer storage medium which stores computer instructions for executing part or all of the steps in the DDoS attack detection method based on PCUSUM algorithm disclosed in the embodiment of the invention when the computer instructions are called.
The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above detailed description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course by means of hardware. Based on such understanding, the foregoing technical solutions may be embodied essentially or in part in the form of a software product that may be stored in a computer-readable storage medium including Read-Only Memory (ROM), random-access Memory (Random Access Memory, RAM), programmable Read-Only Memory (Programmable Read-Only Memory, PROM), erasable programmable Read-Only Memory (Erasable Programmable Read Only Memory, EPROM), one-time programmable Read-Only Memory (OTPROM), electrically erasable programmable Read-Only Memory (EEPROM), compact disc Read-Only Memory (Compact Disc Read-Only Memory, CD-ROM) or other optical disc Memory, magnetic disc Memory, tape Memory, or any other medium that can be used for computer-readable carrying or storing data.
Finally, it should be noted that: the embodiment of the invention discloses a DDoS attack detection method and device based on PCUSUM algorithm, which are disclosed as preferred embodiments of the invention, and are only used for illustrating the technical scheme of the invention, but not limiting the technical scheme; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that; the technical scheme recorded in the various embodiments can be modified or part of technical features in the technical scheme can be replaced equivalently; such modifications and substitutions do not depart from the spirit and scope of the corresponding technical solutions.

Claims (10)

1. A DDoS attack detection method based on PCUSUM algorithm, the method comprising:
determining a plurality of detection time periods;
counting the unacknowledged rate information of the TCP message in each detection time period in real time, and correcting based on a correction algorithm to generate a detection sequence value;
based on the PCUSUM algorithm model, determining whether the target equipment is attacked by DDoS according to the detection sequence value, and alarming.
2. The PCUSUM algorithm-based DDoS attack detection method of claim 1, wherein the determining a plurality of detection time periods comprises:
selecting a period of time T and dividing it equally into n time periods, denoted t_1, t_2, …, t_n respectively.
3. The DDoS attack detection method based on PCUSUM algorithm of claim 2, wherein the counting TCP message unacknowledged rate information in each detection time period in real time and correcting based on a correction algorithm to generate a detection sequence value comprises:
during time period t_i (1 ≤ i ≤ n), capturing all IP packets and, if the data carried by an IP packet is a TCP segment, storing the IP packet in an array;
if i > 1, i.e. this is not the first capture, comparing the IP packets captured in time period t_i with Uack_last, the array of TCP segments left unacknowledged in time period t_{i-1}, to find the number of segments unacknowledged in t_{i-1} that are acknowledged in t_i, and recording it in X[i-1];
finding, by means of a double loop, the total number of acknowledged TCP segments in time period t_i and recording it in the variable num, while recording the IP packets of the unacknowledged TCP segments in the array Uack;
assigning the array Uack of TCP segments unacknowledged in time period t_i to Uack_last, the number num of TCP segments acknowledged in t_i to num_last, and the total number total of IP packets captured in t_i to total_last, in preparation for correcting the TCP segment unacknowledged rate in the next time period t_{i+1}; wherein Uack_last, num_last and total_last respectively denote, for time period t_{i-1}, the array of unacknowledged TCP segments, the number of acknowledged TCP segments, and the total number of captured IP packets carrying TCP segments;
if i < n, setting i = i + 1 and returning to capturing all IP packets during time period t_i and storing those carrying TCP segments in an array, so as to compute the detection sequence value X[i] for the next time period t_{i+1}; otherwise, ending.
4. The PCUSUM algorithm-based DDoS attack detection method of claim 3, wherein the determining whether the target device is subjected to the DDoS attack based on the PCUSUM algorithm model according to the detection sequence value, and alarming, comprises:
reading the detection sequence value array X[1] to X[i];
accumulating X[i], where 1 ≤ s < i ≤ n, and generating an alarm if the following expression is satisfied:
Figure FDA0004217817040000021
wherein N is the attack detection threshold and d is the value of the artificial transformation factor; N is an integer with value range [1,10], and d is a decimal with value range [0,1];
in the case of continuous detection, the continuous detection problem is broken down into a series of test procedures; assuming a new test procedure begins from time period t_{m+1}, the accumulated sum P_i is equivalent to
Figure FDA0004217817040000022
the iterative formula for the accumulated sum P_i is as follows:
Figure FDA0004217817040000023
i.e., starting from i=2, the detection sequence is calculated and detected according to the above formula;
wherein max represents the maximum value of the two, and m is determined by the following formula:
m = max{j : j < n, P_j = 0}, P_0 = 0;
the condition for triggering the alarm is still P_i > N;
if i ≤ n, setting i = i + 1 and continuing with the operation of reading the detection sequence value array X[1] to X[i]; otherwise, ending the detection.
5. A DDoS attack detection apparatus based on PCUSUM algorithm, the apparatus comprising:
a determining module for determining a plurality of detection time periods;
the statistics module is used for counting the unacknowledged rate information of the TCP message in each detection time period in real time, and correcting the unacknowledged rate information based on a correction algorithm to generate a detection sequence value;
and the judging module is used for determining whether the target equipment is under DDoS attack or not according to the detection sequence value based on the PCUSUM algorithm model.
6. The PCUSUM algorithm-based DDoS attack detection apparatus of claim 5, wherein the specific manner in which the determining module determines the plurality of detection time periods comprises:
selecting a period of time T and dividing it equally into n time periods, denoted t_1, t_2, …, t_n respectively.
7. The DDoS attack detection apparatus based on PCUSUM algorithm of claim 6, wherein the specific manner in which the statistics module counts the TCP segment unacknowledged rate information in each detection time period in real time and corrects it based on a correction algorithm to generate the detection sequence value comprises:
during time period t_i (1 ≤ i ≤ n), capturing all IP packets and, if the data carried by an IP packet is a TCP segment, storing the IP packet in an array;
if i > 1, i.e. this is not the first capture, comparing the IP packets captured in time period t_i with Uack_last, the array of TCP segments left unacknowledged in time period t_{i-1}, to find the number of segments unacknowledged in t_{i-1} that are acknowledged in t_i, and recording it in X[i-1];
finding, by means of a double loop, the total number of acknowledged TCP segments in time period t_i and recording it in the variable num, while recording the IP packets of the unacknowledged TCP segments in the array Uack;
assigning the array Uack of TCP segments unacknowledged in time period t_i to Uack_last, the number num of TCP segments acknowledged in t_i to num_last, and the total number total of IP packets captured in t_i to total_last, in preparation for correcting the TCP segment unacknowledged rate in the next time period t_{i+1}; wherein Uack_last, num_last and total_last respectively denote, for time period t_{i-1}, the array of unacknowledged TCP segments, the number of acknowledged TCP segments, and the total number of captured IP packets carrying TCP segments;
if i < n, setting i = i + 1 and returning to capturing all IP packets during time period t_i and storing those carrying TCP segments in an array, so as to compute the detection sequence value X[i] for the next time period t_{i+1}; otherwise, ending.
8. The DDoS attack detection apparatus based on PCUSUM algorithm of claim 7, wherein the specific manner in which the judging module determines, based on the PCUSUM algorithm model and according to the detection sequence value, whether the target device is subject to a DDoS attack and raises an alarm comprises:
reading the detection sequence value array X[1] to X[i];
accumulating X[i], where 1 ≤ s < i ≤ n, and generating an alarm if the following expression is satisfied:
Figure FDA0004217817040000041
wherein N is the attack detection threshold and d is the value of the artificial transformation factor; N is an integer with value range [1,10], and d is a decimal with value range [0,1];
in the case of continuous detection, the continuous detection problem is broken down into a series of test procedures; assuming a new test procedure begins from time period t_{m+1}, the accumulated sum P_i is equivalent to
Figure FDA0004217817040000042
the iterative formula for the accumulated sum P_i is as follows:
Figure FDA0004217817040000043
i.e., starting from i=2, the detection sequence is calculated and detected according to the above formula;
wherein max represents the maximum value of the two, and m is determined by the following formula:
m = max{j : j < n, P_j = 0}, P_0 = 0;
the condition for triggering the alarm is still P_i > N;
if i ≤ n, setting i = i + 1 and continuing with the operation of reading the detection sequence value array X[1] to X[i]; otherwise, ending the detection.
9. A DDoS attack detection apparatus based on PCUSUM algorithm, the apparatus comprising:
a memory storing executable program code;
a processor coupled to the memory;
the processor invokes the executable program code stored in the memory to perform the PCUSUM algorithm-based DDoS attack detection method of any of claims 1-4.
10. A computer storage medium storing computer instructions for performing the PCUSUM algorithm-based DDoS attack detection method according to any of claims 1-4 when called.
CN202310512289.4A 2023-05-08 2023-05-08 DDoS attack detection method and device based on PCUSUM algorithm Pending CN116366367A (en)

Publications (1)

Publication Number Publication Date
CN116366367A true CN116366367A (en) 2023-06-30

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104202336A (en) * 2014-09-22 2014-12-10 浪潮电子信息产业股份有限公司 DDoS (distributed denial of service) attack detection method based on information entropy
CN110493260A (en) * 2019-09-12 2019-11-22 贵州电网有限责任公司 A kind of network flood model attack detection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
莫家庆 et al.: "Non-parametric PCUSUM algorithm for DDoS attack detection", 计算机工程与应用 (Computer Engineering and Applications), pages 96-98 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination